Security Advisory - Published 2026-06-11 - Kubernetes / Fission

Fission CVE batch: Kubernetes serverless tenant-boundary self-check

Fission published a large advisory set around router exposure, archive storage, function runtime permissions, podSpec passthrough, namespace validation, and package handling. If Fission runs in a shared cluster, the business risk is tenant boundary failure: one function author getting more Kubernetes reach than the platform intended.

Defensive scope: this page covers cluster inventory, version checks, RBAC review, NetworkPolicy review, service account exposure, and upgrade planning. It does not include attack commands or crafted manifests.

Group the alerts by action

Area: Router and internal function routes
CVEs: CVE-2026-46614
What to verify: Router exposure, ingress paths, and whether internal function routes are reachable outside trusted sources.

Area: Storage, builder, and runtime secrets
CVEs: CVE-2026-46612, CVE-2026-46617, CVE-2026-46618
What to verify: Storage service access, builder command validation, and runtime service account permissions inside function namespaces.

Area: Environment and Function podSpec safety
CVEs: CVE-2026-50545, CVE-2026-50563, CVE-2026-50564, CVE-2026-50566
What to verify: Host namespaces, hostPath, privileged mode, serviceAccountName, and dangerous capabilities.

Area: Namespace and reference validation
CVEs: CVE-2026-49821, CVE-2026-49822, CVE-2026-49823, CVE-2026-49824
What to verify: Package, secret, configmap, environment, and KubernetesWatchTrigger namespace boundaries.

Area: Archive and capability handling
CVEs: CVE-2026-50567, CVE-2026-50570
What to verify: Package archive extraction paths and capability allow/deny behavior.

Version check

# CLI version plus the server-side version reported by the control plane
fission version
# Installed Fission components, their services, and any ingress in the fission namespace
kubectl get deploy,svc,ingress -n fission
# Chart version, if Fission was installed with Helm
helm list -A | grep -i fission

Several fixes land across 1.23.0, 1.24.0, and 1.25.0. For production clusters, target the newest supported Fission release you can run, then verify that the router, webhook, executor, storage service, and builder components all restarted on the patched images rather than only the chart version changing.

Cluster exposure checks

# Service types and external IPs: a LoadBalancer or NodePort on the router widens exposure
kubectl get svc -n fission -o wide
# Ingress objects that route to Fission services in any namespace
kubectl get ingress -A | grep -i fission
# Whether any NetworkPolicy restricts traffic inside the fission namespace at all
kubectl get networkpolicy -n fission
# RBAC spot check for one identity; replace default:example with a real service account
kubectl auth can-i create environments.fission.io --as system:serviceaccount:default:example

Focus on who can create or update Fission Environment, Function, Package, and KubernetesWatchTrigger resources. If many developer identities can create these resources, treat the upgrade as urgent even when the public internet cannot reach the cluster.
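The spot check above covers one identity at a time. For a whole-cluster view of who can write Fission custom resources, the following script is an added example (not Fission's or Ping7's code) that consumes the JSON List from `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` and reports each subject with create, update, or patch rights on Environment, Function, Package, or KubernetesWatchTrigger objects. The embedded sample List and its role and subject names are constructed for offline use.

```python
"""Review which RBAC subjects can create or update Fission custom resources.

Added example, not Fission's or Ping7's code. Input is the v1 List produced by
`kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`.
The SAMPLE_LIST below is constructed; its names are hypothetical.
"""
import json
import sys

FISSION_GROUP = "fission.io"
WATCHED_RESOURCES = {"environments", "functions", "packages", "kuberneteswatchtriggers"}
WRITE_VERBS = {"create", "update", "patch", "*"}


def rule_grants(rule):
    """Return the watched Fission resources that one RBAC rule allows a subject to write."""
    groups = set(rule.get("apiGroups", []))
    if FISSION_GROUP not in groups and "*" not in groups:
        return set()
    if not WRITE_VERBS & set(rule.get("verbs", [])):
        return set()
    resources = set(rule.get("resources", []))
    if "*" in resources:
        return set(WATCHED_RESOURCES)
    return WATCHED_RESOURCES & resources


def index_roles(items):
    """Map (kind, namespace, name) of each Role/ClusterRole to the Fission resources it can write."""
    roles = {}
    for obj in items:
        if obj["kind"] not in ("Role", "ClusterRole"):
            continue
        meta = obj["metadata"]
        key = (obj["kind"], meta.get("namespace", ""), meta["name"])
        granted = set()
        for rule in obj.get("rules", []):
            granted |= rule_grants(rule)
        roles[key] = granted
    return roles


def review_bindings(items):
    """Return {subject: {resource, ...}} for every subject bound to a role that writes Fission CRs."""
    roles = index_roles(items)
    findings = {}
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace", "")
        # A RoleBinding may point at a ClusterRole; the grant then applies within the binding's namespace.
        key = (ref["kind"], "" if ref["kind"] == "ClusterRole" else binding_ns, ref["name"])
        granted = roles.get(key, set())
        if not granted:
            continue
        for subj in obj.get("subjects", []):
            if subj["kind"] == "ServiceAccount":
                name = f"serviceaccount:{subj.get('namespace', binding_ns)}:{subj['name']}"
            else:
                name = f"{subj['kind'].lower()}:{subj['name']}"
            findings.setdefault(name, set()).update(granted)
    return findings


# Constructed sample: one cluster-wide author role, one read-only role, one wildcard namespace role.
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "fission-author"},
         "rules": [{"apiGroups": ["fission.io"], "resources": ["functions", "packages"],
                    "verbs": ["create", "update", "get"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "fission-reader"},
         "rules": [{"apiGroups": ["fission.io"], "resources": ["*"], "verbs": ["get", "list"]}]},
        {"kind": "Role", "metadata": {"name": "env-admin", "namespace": "team-a"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "devs-author"},
         "roleRef": {"kind": "ClusterRole", "name": "fission-author"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
        {"kind": "RoleBinding", "metadata": {"name": "ci-reader", "namespace": "team-a"},
         "roleRef": {"kind": "ClusterRole", "name": "fission-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "team-a"}]},
        {"kind": "RoleBinding", "metadata": {"name": "ops-env", "namespace": "team-a"},
         "roleRef": {"kind": "Role", "name": "env-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "team-a"}]},
    ],
}

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin; with no pipe, the constructed sample is reviewed instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LIST
    for subject, resources in sorted(review_bindings(data["items"]).items()):
        print(f"{subject}: can write {', '.join(sorted(resources))}")
```

Wildcard rules (`apiGroups: ["*"]` or `resources: ["*"]`) are counted as a grant on every watched resource, which is why the namespace-scoped `env-admin` role shows up with all four types even though it never names Fission. The read-only `fission-reader` binding is not reported, since the concern on this page is who can create or update these objects.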

What to review after patching

  • Fission router services should not expose internal function routes through the public listener.
  • NetworkPolicy should restrict internal Fission services to expected controller and trigger pods.
  • Admission webhooks should validate create and update operations.
  • Function, Environment, Package, Secret, ConfigMap, and KubernetesWatchTrigger (KWT) references should stay inside intended namespaces.
  • Runtime and builder pods should not inherit broad service account permissions unless the function explicitly requires them.
  • Package archives and deployment URLs should be treated as untrusted input.
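The podSpec and namespace-reference items in this list can be checked against the live objects rather than by reading manifests one at a time. The script below is an added example (not Fission's or Ping7's code) that walks the JSON from `kubectl get functions,environments -A -o json` and flags host namespaces, hostPath volumes, privileged containers, dangerous capabilities, serviceAccountName overrides, and Function references that cross into another namespace. The field paths it reads (spec.podspec, spec.runtime.podspec, spec.builder.podspec, spec.environment, spec.package.packageref, spec.secrets, spec.configmaps) are assumed from Fission's CRD layout; confirm them against your installed CRDs. The sample objects are constructed.

```python
"""Flag podSpec passthrough fields and cross-namespace references in Fission objects.

Added example, not Fission's or Ping7's code. Field paths are assumed from
Fission's Function and Environment CRD layout; verify against your cluster.
SAMPLE_ITEMS is constructed for offline use.
"""

# Capabilities treated as dangerous for a function runtime (assumed list; tune per cluster policy).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def podspec_findings(podspec, where):
    """Return human-readable findings for one passthrough podSpec (None or {} yields none)."""
    findings = []
    if not podspec:
        return findings
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if podspec.get(field):
            findings.append(f"{where}: {field} enabled")
    if "serviceAccountName" in podspec:
        findings.append(f"{where}: overrides serviceAccountName={podspec['serviceAccountName']}")
    for vol in podspec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"{where}: hostPath volume {vol['hostPath'].get('path')}")
    containers = (podspec.get("containers") or []) + (podspec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{where}: container {c.get('name')} runs privileged")
        bad = set((sc.get("capabilities") or {}).get("add", [])) & DANGEROUS_CAPS
        if bad:
            findings.append(f"{where}: container {c.get('name')} adds {sorted(bad)}")
    return findings


def reference_findings(fn):
    """Return findings for Function references that point outside the Function's own namespace."""
    ns, name = fn["metadata"]["namespace"], fn["metadata"]["name"]
    spec = fn.get("spec") or {}
    refs = [("environment", (spec.get("environment") or {}).get("namespace")),
            ("package", ((spec.get("package") or {}).get("packageref") or {}).get("namespace"))]
    refs += [(f"secret {s.get('name')}", s.get("namespace")) for s in spec.get("secrets") or []]
    refs += [(f"configmap {c.get('name')}", c.get("namespace")) for c in spec.get("configmaps") or []]
    return [f"Function {ns}/{name}: {label} references namespace {ref_ns}"
            for label, ref_ns in refs if ref_ns and ref_ns != ns]


def review(items):
    """Run both checks over a list of Function and Environment objects and collect findings."""
    findings = []
    for obj in items:
        meta, spec = obj["metadata"], obj.get("spec") or {}
        ident = f"{obj['kind']} {meta['namespace']}/{meta['name']}"
        if obj["kind"] == "Function":
            findings += podspec_findings(spec.get("podspec"), ident)
            findings += reference_findings(obj)
        elif obj["kind"] == "Environment":
            for part in ("runtime", "builder"):
                findings += podspec_findings((spec.get(part) or {}).get("podspec"), f"{ident} {part}")
    return findings


# Constructed sample: one clean Function, one with passthrough and a cross-namespace secret,
# one Environment whose runtime adds SYS_ADMIN.
SAMPLE_ITEMS = [
    {"kind": "Function", "metadata": {"name": "hello", "namespace": "team-a"},
     "spec": {"environment": {"name": "python", "namespace": "team-a"},
              "package": {"packageref": {"name": "hello-pkg", "namespace": "team-a"}}}},
    {"kind": "Function", "metadata": {"name": "reporter", "namespace": "team-b"},
     "spec": {"environment": {"name": "python", "namespace": "team-b"},
              "package": {"packageref": {"name": "reporter-pkg", "namespace": "team-b"}},
              "secrets": [{"name": "db-creds", "namespace": "team-a"}],
              "podspec": {"hostNetwork": True, "serviceAccountName": "fission-fetcher",
                          "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
                          "containers": [{"name": "reporter", "securityContext": {"privileged": True}}]}}},
    {"kind": "Environment", "metadata": {"name": "python", "namespace": "team-b"},
     "spec": {"runtime": {"podspec": {"containers": [{"name": "python", "securityContext": {
         "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}}]}}}},
]

if __name__ == "__main__":
    import json
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": SAMPLE_ITEMS}
    for line in review(data["items"]):
        print(line)
```

Run it once before the upgrade to get a baseline of which objects carry passthrough fields, and again afterwards: objects the patched webhook now rejects on update but that still exist from before the fix are the ones to clean up by hand.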

Ping7 repair path

Ping7 can help review Fission version state, ingress exposure, RBAC, NetworkPolicy, service account scope, and suspicious function/package history. Use CVE Repair for owned clusters or client-approved environments, and include your Fission version, installation method, and whether the cluster is multi-tenant.

References